# Detecting Spam Zombies by Monitoring Outgoing Messages Zhenhai Duan Department of Computer Science Florida State University.

## Presentation on theme: "Detecting Spam Zombies by Monitoring Outgoing Messages Zhenhai Duan Department of Computer Science Florida State University."— Presentation transcript:

Detecting Spam Zombies by Monitoring Outgoing Messages Zhenhai Duan Department of Computer Science Florida State University

Outline Motivation and background SPOT algorithm on detecting compromised machines Performance evaluation Summary 2

Motivation Botnet becoming a major security issue –Spamming, DDoS, and identity theft Hard to defend botnet based attacks –Sheer volume, wide spread Lack of effective method to detect bots in local networks 3

Motivation Utility-based online detection method SPOT –Detecting subset of compromised machines involved in spamming Bots increasingly used in sending spam –70% - 80% of all spam from bots in recent years –In response to blacklisting –Spamming provides key economic incentive for controller 4

Network Model Machines in a network –Either compromised H 1 or normal H 0 – How to detect if a machine compromised as msgs pass SPOT sequentially? –Sequential Probability Ratio Test (SPRT) 5

Sequential Probability Ratio Test Statistical method for testing –Null hypothesis against alternative hypothesis One-dimensional random walk –With two boundaries corresponding to hypotheses 6 A B

SPRT Advantages –Online algorithm Applying to observations arriving sequentially –Fast detection Minimizing average number of observation required –Controlled results False positive and false negative errors can be bounded by user-specified thresholds 7

SPRT X denote a Bernoulli random variable with unknown parameter θ SPRT tests null hypothesis H 0 θ = θ 0 against alternative hypothesis H 1 θ = θ 1 8

SPRT How likely to have sequence of X 1, X 2, …, X n, under H 1 and H 0, respectively? 9

SPRT Test Process Given two constant A and B, where A < B, at each step n, compute How to determine A and B –Let α and β be user-desired false positive and negative rates 10

SPRT Bounds Relationship between actual false positive α’ and false negative β’ and desired ones α and β Average number of observation to reach decision 11

SPOT Detection Algorithm Based on SPRT –H 1 : machine is compromised –H 0 : machine is normal Maintain Λ n for each IP observed Update Λ n in each step Compare Λ n to A and B Terminate when B is approached Restart when A is approached – after resetting Λ n 12

Determining SPOT Parameters Four parameters: α, β, θ 0, θ 1 –α, β are user desired error rates, normally in range 0.01 to 0.05 –Ideally, θ 0 and θ 1 should be probability a normal and compromised machine send spam –SPOT does not require precise knowledge of θ 0 and θ 1 An imprecise (but reasonably) knowledge of θ 0 and θ 1 will only affect N In practice, they can model the false positive and detection rate of spam filter 13

Averaged Number of Observations Required β = 0.01 14

Trace-based Performance Evaluation Two month email trace received on FSU campus net SpamAssassin and anti-virus software –About 73% of all emails are spam 15

Sending IP Addresses 16 –FSU has higher percentage of mixed IP addresses –FSU has higher percentage of IP addresses sending virus

Performance of SPOT –Α = 0.01, β = 0.01, θ 0 = 0.2, θ 1 = 0.9 –110 confirmed by virus information –16 confirmed by high spam sending percentage (> 98%) 62.5% of these are dynamic IP –6 cannot be confirmed by either way –7 machines SPOT identified as normal carried virus 17

Number of Actual Observations 18

Impacts of Dynamic IP Addresses SPOT assumes one-to-one mapping between IP address and machine Intuitively, dynamic IP will not have any major impacts, given fast detection of SPOT 19

Distribution of Spam in Each Cluster –T = 30 minutes –90% of clusters >= 10 spam –96% of clusters >= 3 spam 20

Discussions Practical deployment issues –Msgs may pass a few relay servers before leaving network –Method 1: deploy SPOT at each relay server –Method 2: identify originating machine by Received header Limitation –IID assumption of message arrivals 21

Summary SPOT –Effective and efficient spam zombie detection system –Based Sequential Probability Ratio Test A utility-based detection scheme –How to generalize the idea to detect compromised machines used for other purposes? 22

Download ppt "Detecting Spam Zombies by Monitoring Outgoing Messages Zhenhai Duan Department of Computer Science Florida State University."

Similar presentations